CVE-2024-6866
- EPSS 0.16%
- Published 20.03.2025 10:10:59
- Last modified 03.11.2025 20:17:04
corydolphin/flask-cors version 4.01 contains a vulnerability where the request path matching is case-insensitive due to the use of the `try_match` function, which is originally intended for matching hosts. This results in a mismatch because paths in ...
CVE-2024-6844
- EPSS 0.07%
- Published 20.03.2025 10:10:51
- Last modified 03.11.2025 20:17:04
A vulnerability in corydolphin/flask-cors version 4.0.1 allows for inconsistent CORS matching due to the handling of the '+' character in URL paths. The request.path is passed through the unquote_plus function, which converts the '+' character to a s...
CVE-2024-6839
- EPSS 0.29%
- Published 20.03.2025 10:09:42
- Last modified 03.11.2025 20:17:03
corydolphin/flask-cors version 4.0.1 contains an improper regex path matching vulnerability. The plugin prioritizes longer regex patterns over more specific ones when matching paths, which can lead to less restrictive CORS policies being applied to s...
CVE-2024-6221
- EPSS 0.64%
- Published 18.08.2024 19:15:04
- Last modified 07.04.2025 15:15:42
A vulnerability in corydolphin/flask-cors version 4.0.1 allows the `Access-Control-Allow-Private-Network` CORS header to be set to true by default. This behavior can expose private network resources to unauthorized external access, leading to signifi...
CVE-2024-1681
- EPSS 0.15%
- Published 19.04.2024 20:15:09
- Last modified 03.11.2025 20:16:09
corydolphin/flask-cors is vulnerable to log injection when the log level is set to debug. An attacker can inject fake log entries into the log file by sending a specially crafted GET request containing a CRLF sequence in the request path. This vulner...